Cybersecurity

Security through machine learning

The cyber security of industrial plants is designed to prevent potential attacks from interrupting the technological process. Such interruptions are associated with catastrophic consequences, which need not only be of a financial nature. Effective protection of such facilities therefore requires constant monitoring of both the information systems and the operating processes. Kaspersky Lab offers the right tool for this.

Kaspersky Industrial Cybersecurity offers a flexible solution to defend against threats.

Today's automated industrial control system (ICS) is a complex cyber-physical system. It includes computer elements that control devices and integral units as well as physical equipment, which expands the attack surface and offers hackers countless opportunities to disrupt the system. They can target both the information infrastructure and the controllers of the digital environment or physically intervene in the production process. Attacks on a cyber-physical system are generally far more complicated than conventional cyber attacks.

Attacks carried out via information systems are more or less easy to handle. It is sufficient to carefully monitor the information flows between the programmable logic controller and the SCADA system. But what happens when attackers use signals to disrupt communication between industrial sensors and controllers? What if the sensor data is replaced or the sensor itself is destroyed? Kaspersky Lab has developed a machine learning technology to help detect such attacks.


Protect operating processes efficiently

The technology used is called Machine Learning for Anomaly Detection (MLAD). Everything that is needed for this technology to work properly is basically already available in most industrial plants today. After all, the entire production process is already equipped with sensors. The modern automated ICS receives vast amounts of telemetry data; tens of thousands of tags coming from different sources are typically updated ten times per second. In addition, information about normal system operation is collected and stored for years - the ideal conditions for applying machine learning.

All data can be visualized in the control center. However, anomalies are detected autonomously by MLAD. (Pictures: Kaspersky)

Due to the laws of physics, all process signals in the system are interconnected. For example, if the sensor of a valve indicates a blockage, the sensors at another point should indicate a corresponding change in pressure, volume or temperature. All these indicators are interrelated. The slightest change in the production process leads to different readings for many sensors. The machine learning system - trained on data collected under normal operating conditions - can investigate these correlations. In addition, the MLAD engine can operate in a self-learning mode if new data that was not previously considered is made available. The result: anomalies in the production process can be identified.

How it works in practice

The Kaspersky Industrial Cybersecurity solution monitors process traffic via Deep Packet Inspection (DPI) and thus has access to sensor and command data. This information is analyzed in real time by the MLAD system to predict what the normal system state should be in the short term, with the ability to adjust the exact timing of the prediction. This prediction is possible because the MLAD system is trained on data collected under normal operating conditions. Of course, the forecast can and will differ from reality. The question is how big this difference is. During the learning process, the system calculates limit values of the forecast error. If the forecast error exceeds these limits, the deviation is regarded as an anomaly.
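The principle of a learned forecast-error limit can be shown in a few lines. The following is an added example, not Kaspersky's code or model: a simple least-squares predictor stands in for the MLAD engine, and the tag names (valve, flow, pressure), the process equations and all telemetry values are constructed for illustration.

```python
import math
import random

def simulate(n, seed, start=0):
    """Constructed telemetry: valve opening physically drives flow and pressure."""
    rng = random.Random(seed)
    rows = []
    for t in range(start, start + n):
        valve = 50 + 20 * math.sin(t / 15)
        rows.append({
            "valve": valve,
            "flow": 0.8 * valve + rng.uniform(-0.5, 0.5),
            "pressure": 100 - 0.5 * valve + rng.uniform(-0.5, 0.5),
        })
    return rows

def fit_line(xs, ys):
    """Ordinary least squares for y = slope * x + intercept."""
    mx, my = sum(xs) / len(xs), sum(ys) / len(ys)
    slope = sum((x - mx) * (y - my) for x, y in zip(xs, ys)) / sum((x - mx) ** 2 for x in xs)
    return slope, my - slope * mx

class ForecastErrorDetector:
    def __init__(self, driver, targets, margin=2.0):
        self.driver, self.targets, self.margin = driver, targets, margin

    def train(self, rows):
        xs = [r[self.driver] for r in rows]
        self.models = {t: fit_line(xs, [r[t] for r in rows]) for t in self.targets}
        # Limit value of the forecast error, derived from normal operation only.
        self.limit = self.margin * max(self.error(r) for r in rows)

    def error(self, row):
        """Squared distance between observed tags and the values the model expects."""
        x = row[self.driver]
        return sum((row[t] - (a * x + b)) ** 2 for t, (a, b) in self.models.items())

    def is_anomaly(self, row):
        return self.error(row) > self.limit

def run_demo():
    det = ForecastErrorDetector("valve", ["flow", "pressure"])
    det.train(simulate(2000, seed=1))
    normal = simulate(300, seed=2, start=2000)
    # Replaced sensor data: pressure reports 75.0, a value inside its normal range.
    spoofed = [dict(r, pressure=75.0) for r in simulate(300, seed=3, start=2300)]
    return sum(map(det.is_anomaly, normal)), sum(map(det.is_anomaly, spoofed))

if __name__ == "__main__":
    print("alarms (normal, spoofed): %s" % (run_demo(),))
```

The replaced pressure value would pass a per-sensor range check; it is flagged only because it no longer matches what the valve position implies.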

MLAD is adapted to Kaspersky Industrial CyberSecurity at the protocol level and requires telemetry data, which is provided by Kaspersky Industrial CyberSecurity, but can theoretically be switched to the use of technical data from other solutions at any time.

Adaptation to the production process

In contrast to an expert system, which operates according to a set of strictly defined rules, a security solution based on machine learning algorithms offers more flexibility. In order for an expert system to function under different operating conditions, its rules are often generalized, which can delay the security response. A system based on machine learning does not have this shortcoming.

Flexibility is also particularly important if the company needs to adapt the production process. With a machine learning system, it is not necessary to change the security system - it is sufficient to simply retrain MLAD. In addition, Kaspersky Industrial Cybersecurity works on a duplicate of the data traffic, which means that the solution does not directly affect the production process.

The following example serves as a demonstration: A detailed mathematical model of the Tennessee Eastman industrial chemical process has been circulating on the Internet for some time. It is often used for presentation purposes and for fine-tuning control models. Kaspersky Lab used this model as a basis to simulate the functioning of the MLAD module during an attack in which sensor data, commands and logical parameters, among other things, were replaced - with success. am

Hanover Fair, Hall 6, Stand D15
